Shoppers arrive at a Target store in Los Angeles on Thursday. Target says that about 40 million credit and debit card accounts may have been affected by a data breach. / Damian Dovarganes AP

by Chris Woodyard, USA TODAY

by Chris Woodyard, USA TODAY

At the peak of the holiday shopping rush, JPMorgan Chase said Saturday it is putting daily cash and spending limits on about 2 million debit cards that were used at Target stores that could be susceptible to fraud.

It also plans to begin reissuing new cards to customers who could have been affected by the recently revealed data breach affecting 40 million debit and credit card customers who shopped at the nation's second-retailer after Thanksgiving through Dec. 15.

Chase customers will be limited to withdrawing no more than $100 a day from ATMs on the affected debit cards. A statement on the website says tellers will help them at the bank's branches if they need more. In addition, customers with the affected cards will be limited to $300 a day in purchases, Chase says. The limits affect about 2 million of Chase's 23 million card customers.

Chase said it plans to open a third of its branches Sunday to help affected customers. Customers can check chase.com to find out which branches will be open.

The limits will be in effect as Chase begins the process of reissuing the debit cards by mail. The process could take at least two weeks. The bank says, however, that about half of its 5,600 branches in 23 states can issue new cards on the spot for customers who want the limits lifted faster. Late Saturday, Chase said it had decided to open about a third of its branches on Sunday, when they were normally closed, to help affected customers.

The action is being taken because of the data theft involving 40 million debit and credit cards issued by a variety of large banks and used at Target stores from Nov. 27 to Dec. 15. It included cards from all issuers, not just Target's own credit card.

The data included names, numbers, expiration dates and data taken from the magnetic strip when the card is swiped could have been captured by the thieves.

Target has said it does not believe that debit card PIN, the four-digit personal identification numbers, were taken. Plus, the theft only applied to in-store purchases, not those made online.

A Target spokeswoman, Molly Snyder, said Saturday that she was unaware of any other debit or credit issuers yet taking a similar action to Chase.

She said in reaction to the theft, Target has activated a deeper fraud monitoring protocol on its own credit and debit accounts. It is setting up fraud monitoring services for customers affected by the data loss. And it's counseling customers who think they may have been affected on how to obtain a free credit report or change the PIN numbers attached to their accounts.